Posted
by
timothyon Thursday April 24, 2014 @08:48AM
from the and-moving-forward-henceforth dept.

wiredmikey (1824622) writes "Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow. The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site."

Forgive me if I'm hesitant to trust a company that does everything in its power to crush open source. They are not OSS friendly. MSFT is patent trolling here. Nothing more. They will encourage OSS projects to spring up that violate their patents and wait for the right moment so that their competitors are using the OSS and then wham -- lawsuit. Apple and Google are doing this too for the same probable reason. Of course I could be somewhat wrong, but my caution & cynicism is not entirely wrong.

Nothing is wrong with this picture. Like pretty much every tech company, the future of Microsoft relies on a vibrant, healthy, and growing internet - and there is still lot of room grow. Helping to fine tune the world of Open Source results in expanding needs and infrastructure, which invariably means that Microsoft software will find a way to be involved. Helping Open Source is a fast-track to expanding profits, fighting Open Source is a task for Sisyphus and they know it. There is no reason that Open and closed source cannot coexist in this world.

Disclaimer: When I talk about Microsoft's technology, I am not talking about their current consumer OS debacle. I used to be a ZOMG! M$ SUX!!! type, but Microsoft is now an embattled company well aware that they fucked up a lot these last few years. I am curious to see what direction that will take them. I suppose this is part of that. Also, their back end products: Windows Server/Active Directory/Sql server, etc... really are pretty nice. Although I do prefer Linux, FreeBSD and their associated Open Source server solutions.

While MS wasn't hit too hard by this praticular bug, they have been hit by bugs in open source "core infrastructure" libraries before. Anyone remember this: http://www.geek.com/news/micro... [geek.com] ? Basically everything MS shipped had to be patched due to zlib being statically linked all over the place.

Anyway, lots of people run open source stuff on windows servers (well, some do at least...), and it's in the best interest of MS that those boxes are safe.

And last but not least, it's if not free so at least very cheap publicity.

OpenSSL has nothing to do with Linux, other than that a number of vendors that bundle it with their products also bundle Linux. The FreeBSD or NetBSD Foundations would have made as much sense (i.e. none).

The Linux Foundation is a nonprofit organization with strong, existing relationship throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

While that is correct, the Linux foundation does not focus on security-first. If they cared about things like heartbleed and want the best there is in security, they should have picked the OpenBSD Foundation.

I'm not aware of a FreeBSD foundation or a NetBSD foundation. The Linux Foundation, however, is a consortium that includes several large companies and has individuals experienced with bridging gaps between big corporations and communities. It's also worth remembering that the Linux foundation arose from the merger of Open Source Development Labs and Free Standards Group. When you take in that context, it makes a lot more sense.

Agreed. When you talk about core infrastructure, yes OpenSSL is definitely part of it. But what about the ISC (BIND)? I suppose it could be that the Linux Foundation has the reputation they were going for, but if that was the case why not fund LibreSSL.

Why not fund openSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that has made it so ubiquitous. And without the silly name,

Because all those cross-platform hacks directly contribute to its bugginess. The Heartbleed bug was facilitated by a cross-platform reimplementation of malloc that was written for speed rather than security.

And also because the OpenSSL developers have been demonstrated to sit on patches for years instead of fixing bugs.

For a morbidly good time, go look at OpenSSL Valhalla Rampage, [opensslrampage.org] a blog highlighting some of the insanity that the OpenBSD devs are encountering as they rewrite OpenSSL into LibreSSL. It become

As long as they also exclude a bunch of US three letter agencies with a special mention for the NSA, their agents and contractors. Sometimes some sources should be excluded, not to judge anyone, excluding of course the NSA, which of course should now be considered a bunch of security fuckups.

Say what you want about Theo or the name his team has chosen but I think I'd rather give my money to OpenBSD's LibreSSL project than donate to this.

I get that they are probably just after the good will and PR that this will generate, and that this isn't some vast conspiracy against open source, but I don't trust one of the companies on that list to give a care once public attention to heartbleed dies off.

Pick a project and donate directly, don't let these giants pick and choose for us!

I don't think it's a PR move. It's in their best interest to fund these projects, and they can cut costs by teaming up on this. It really look good on them, but they're doing it out of self-interest really.

Most likely because their motivation is the (belated; but logical) recognition that it's cheaper to support OSS projects that you use than it is to bear the risk of having them fail or maintain a full in-house fork all by yourself. It's not really a fund dedicated to 'more and better OSS generally'; but an attempt to share (to some degree) the cost of improving and maintaining the stuff that they already use or already depend on in some way.

This does make sense, because it benefits all involved and not a single company/organization has to shoulder all the dev work. Plus, should something happen, the donors are well insulated from lawsuits.

It would be nice to see more projects along these lines. ZFS comes to mind so a drive array attached to a Linux server could be moved to a Windows box and imported without trouble in a production environment.

So while these people have been doodling around forming initiatives and getting their logos splattered all over a web page, the OpenBSD people have actually founded the LibreSSL project and started actually overhauling the OpenSSL library, including fixing bugs that have been in the OpenSSL queue for years, not to mention finding a metric assload of new ones.

Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

But hey, actually doing work like fixing bugs and etc is not nearly as glamorous as making press releases and having a hudge wodge of logos.

It's conceivable that it's just a fit of temper (team OpenBSD certainly did not sound happy about what team OpenSSL had been up to); but it's also quite likely that they are doing it this way because they want it to happen. You can contribute something; but if the maintainers don't accept it, it just sits there. If you and the maintainers disagree on some important points, or they have a strong NIH attitude, this condition may continue indefinitely. If you fork, it's your problem now; but you do get to acce

Why wouldn't they just contribute this work to the existing OpenSSL? Why does it have to be a fork?

Because the OpenSSL people sat around with important bugs sitting in the queue for years and never fixed them. This is why the OpenBSD people---which is where some of the unresolved bug reports came from---decided that basically working with upstream is not an option and decided to go it alone.

In fact that's exactly what the OpenBSD people said about the fork at the beginning.

The problems with OpenSSL predate heartbleed and they've finally got too big for the OpenBSD people to leave it alone. Hence the fork.

Because:1. It's not initially feature-compatible with OpenSSL2. While there is momentum, it's faster to work apart from the existing project.3. There's no guarantee the rewrite would be accepted by the OpenSSL team4. There's no guarantee LibreSSL will work on anything but BSD5. Theo doesn't control OpenSSL

Personally, my hopes are:1. This Linux Foundation fund identify LibreSSL as the most feasible solution in the long-term, and provide support for both projects.2. Important bugs identified by both teams are

The LibreSSL team has deleted tens of thousands of lines of code from OpenSSL, saying that one of their key goals is to remove as many features as possible. Their reasoning is that simple is more secure, that features which don't exist can't have bugs.

That principle is correct, unless either:a) It's a feature people need, in which case each code-monkey will scratch out their own homebrew version.

Because the OpenBSD developers are ripping out the destabilizing cross-compatibility hooks. That means that cross-compatibility will be an afterthought, rather than a goal. If you've ever attempted to cross port OpenSSH to an unsupported platform, you'll know exactly the kind of work and maintenance pain this can create.

reading the 'rampage' comments, they're removing quirks, or hacks for obscure or archaic platforms such as ultrix, hp-ux and cray. They mention using a c-library function which does the work of several functions but later it's mentioned that not all platforms implement that library function, since it wasn't part of POSIX.

As for missing c-library functions, implementing those would no doubt help porting of other software packages to a platform that lacks them. (N

Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

The best choice is to fund LibreSSL and another project or two to do the same thing. Thoroughly vetting and fixing OpenSSL is a good thing. Getting a couple of solid, API-compatible competitors in the same space is even better, to reduce the monoculture problem, and to create competition.

Also, LibreSSL is just about OpenSSL. This initiative is supposed to be a long-term, ongoing effort to improve other widely-used open source software packages as well. Doing it through the Linux Foundation makes sense to me, too, mostly because it's an already-established example of exactly what the initiative wants to do to other open source packages. Linux is collaboratively developed by many companies (plus a few individual contributions) for the mutual benefit of all, and that model can and should be applied to other pieces of important open source infrastructure.

This is a good idea. It may or may not be a better approach to fixing OpenSSL (which, incidentally, has terrified me for years) than LibreSSL, but it's good for OpenSSL and for other projects. These companies can donate what to them is peanuts (and a tax writeoff to boot), and in return the world as a whole will get improvements in fundamental computing infrastructure.

I do have to say I'm surprised (and pleased) to see Microsoft's name in the list. Google is no surprise; Google uses open source software heavily and has a long history of supporting it. Intel has been involved in OSS for years, too, since they're just as happy to sell hardware to run OSS as anything else. Cisco also uses open source software and has a clear interest in the health of the networking ecosystem. But Microsoft has in the past been a serious opponent of OSS, doing various things to try to undermine it, some openly and some rather underhanded. Lately the company has been divided on the question, in some cases supporting and/or benefitting from OSS while the other hand is trying to squash it, but I think Microsoft is gradually coming around, beginning to admit that OSS is not only here to stay, but that it has a valid and valuable place.

Aside from the obvious problem that LibreSSL is currently OpenBSD only with no concrete portability roadmap? There is good reason to question whether performing surgery with a machete is the most judicious response to a breach.

So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?

It doesn't: this new initiative have so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases statting initiatives and decding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.

I expect that shortly after, some enterprising person from Debian will do some basic porting and have an alteriative set up in the experimental repo. From there it will wend its way around into the other distributions (mint, ubuntu) and the patch set might wind up in some early Arch AUR builds and Fedora packages. By that stage the OpenBSD people will have probably accepted the patches and it will be officially portable. At this point Arch will have probably replaced it as a system wide depencendy because hey, it can always be unreplaced if it's bad. Gentoo of course will make it easy to switch between OpenSSL and LibreSSL with just a teeny little recompile of everything, but whatever it's just some portage flags anyway. Redhat probably won't care since they're probably on a version of OpenSSL so old that there are no longer any known bugs. Fedora will vascillate between the two and eventually decide to do whatever ubuntu finally chooses.

Then maybe in a while, we'll have an announcement that someone we've never heard of will be heading this terribly important project, and that huge splat of logos will get another outing. I expect this will happen at about the same time that some nutjob finishes a port of LibreSSL to his Amiga.

During the above timespan, I expect to hear about Linux and Theo swearing at people in public and to have some good troll threads on slashdot about geneder equality in IT (or nursing or teaching), 27 articles about 3D printing (guns or otherwise).

It doesn't: this new initiative have so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases statting initiatives and decding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.

No doubt Theo will do a solo run as usual, then bitch about all those ungrateful companies using it and giving nothing in return just like with OpenSSH. Meanwhile, this looks like a genuine attempt at starting a "Linux-style" project with lots of corporate support like the Linux kernel that all seem to have a stake in users trusting their computers for shopping and banking and cloud services and whatnot. Of course Theo can make his heroic and sacrificial stand, but this looks more like collaborative open s

Team up to create the pie, then fight for your pieces. I'm actually shocked Microsoft is participating. It's a good move and I'm not used to seeing Redmond do the smart thing. Maybe their collective IQ went up now that Ballmer is out of the picture.

If the big players didn't jump in and show good faith, that could mean congress could jump in and force some regulations on them.

Laws that may punish the free riders more if their service was vulnerable. Or in general more laws punishing companies for software bugs, will cause havoc with the institution.

Software of any complexity will tend to have bugs... Sometimes these are security bugs. Having them being punished for not being perfect will have a chilling effect on the industry. It is better to show t

My impression (given that they also dedicate a certain amount of time and trouble to hunting bot-herders and assorted similar types) is that Microsoft takes an interest in things that facilitate malware distribution, since their customers often take the hit (not necessarily because of an MS zero day; lots of systems running well behind on patches and users clicking on trojans and merrily executing them, along with anything Adobe or Java related).

Frankly the only reason I think these multibillion dollar monopolistic companies have banded together to throw money is because their reputation and userbase have clammored for some kind of response to the problem.
lets be perfectly clear: Theo De Raadt is completely capable of handling the code refactor (he even went so far as to say he didnt need help with the code projects website.) going to the Linux foundation just shows how fucking shortsighted these guys are. If you want to help, donate to the OpenBSD [openbsdfoundation.org] foundation because this is a BSD package that was kindly ported to Linux. It will be released as LibreSSL, not the OpenSSL you want to "fix" in your products, as the code is completed and tested in accordance with what I presume is an OpenBSD development model, not Linux. And in regard to the 'other open source projects will follow' statement, its arrogant and absurd to think that once the LibreSSL code is finalized and ported that these dicks are going to stick around and continue to contribute to any open source technology that doesnt clandestinely butter their bread in user facing products that happen to be facing a sev. 1 exploit they cant avoid through marketing or a new product.

Linux does not have a monopoly on Open Source. Open Source spans several platforms. Nowhere is it written that all of this money will be spent on Linux or limited software designed specifically Linux. I doubt that the likes of Free and OpenBSD will be left out in the cold - it simply wouldn't make sense. Even if that were the case, any Open Source software of the very particular nature we are talking about here (low level infrustructure), is by default software that gets builds for those operating systems a

Leaving aside the fact that OpenSSL is not a "BSD package that kindly ported to Linux", I suggest it's rather more arrogant to assume that the world will rush to replace OpenSSL with Theo De Raadt's LibreSSL when (if) it becomes available.

OpenSSL is not fundamentally broken. It had a bug, albeit one with big consequences. Lots of people depend on OpenSSL and it needs to properly maintained. Paying people to work on opensource projects is nothing new and if this funding supports developers with the necessary cryptographic skills devoting quality time to maintaining OpenSSL then that's a good thing.

People here are already complaining. The whole operation seems pretty straight-forward to me. Make a fund, get some people to administer it and ask some big corporations to donate a tiny percentage of their profits to help fund some infrastructure projects we are all relying on.

I can see some people being anxious their pet projects will not get funded, but come on! One free software project in need receiving funds is better than nothing.

Maybe the fund will be mismanaged or whatever, but in the worst case th

A lot of these people have shit colored glasses bolted to their skulls. Combine this with an irrational hate for anything corporate and there you go; petulant little office trolls emoting on Slashdot.

Theo et al. have and are publically seeking for both individual and corporate [openbsdfoundation.org] support for both the OpenBSD Foundation and LibreSSL [libressl.org], and are specifically seeking a "Stable Commitment of Funding."

Unlike some of the malcontents that haunt Slashdot, they actually spend their time writing open source code. As such